At the beginning of the year Google started its Project Strobe effort to audit what access developers have to data on Google accounts and Android devices, and in March it found a significant bug in a Google+ People API. This bug would have allowed developers to access the profile information of users' friends, even if the data were not marked as public. The exposed data was limited to static profile information, such as name, email address, and occupation, and did not include posts or messages. However, while the bug was discovered and fixed in March 2018, it may have first been present in 2015, and because Google does not keep API log data for Google+ longer than two weeks, the company has no means of identifying all of the users who may have been impacted. Looking at just the two weeks of logs Google had at the time, though, up to 500,000 profiles were potentially affected. No evidence was found that developers were even aware of this bug or exploited it, and there was no evidence any data was misused.
If you are wondering why a bug that was found months ago is only now being discussed publicly, it is because Google chose not to go public with the information, according to the Wall Street Journal. According to a memo prepared by Google's legal and policy staff and reviewed by the paper, senior executives were warned that disclosure would lead to 'immediate regulatory interest' and invite comparisons to Facebook's leak of information concerning Cambridge Analytica. The memo apparently also noted that while there is no evidence outside developers exploited the bug, Google has no way of knowing for sure either. This inability to prove that the information, if collected, was misused is apparently the reason users were not notified.
Still, Google has decided to shutter Google+ for consumers, as it is difficult to maintain and 90% of user sessions are less than five seconds long, making the investment not worth it for that segment of use. However, a review of the service indicates enterprise customers enjoy what it offers, so new features purpose-built for businesses will be launched in the future, with details coming in the days ahead.
In addition to discussing the Google+ API bug, Google has also shared that it will launch more granular Google Account permission controls, with each permission request presented in its own dialog box so you can decline one but not another. New limits are going to be placed on apps accessing Gmail as well, and on Android, Google Play will limit which apps can get permission to access SMS data and phone data, such as call logs.